CN109218284B - XSS vulnerability detection method and device, computer equipment and readable medium - Google Patents

XSS vulnerability detection method and device, computer equipment and readable medium

Info

Publication number: CN109218284B
Authority: CN (China)
Application number: CN201810816579.7A
Other languages: Chinese (zh)
Other versions: CN109218284A (en)
Inventors: 张琳, 马哲超
Current assignee: Baidu Online Network Technology Beijing Co Ltd
Original assignee: Baidu Online Network Technology Beijing Co Ltd
Legal status (as listed by Google Patents, not a legal conclusion): Active
Prior art keywords: node, token, request data, attribute, token node
Events: application filed by Baidu Online Network Technology Beijing Co Ltd; priority to CN201810816579.7A; publication of CN109218284A; application granted; publication of CN109218284B.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1433: Vulnerability analysis
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Abstract

The invention provides an XSS vulnerability detection method and device, computer equipment and a readable medium. The method comprises the following steps: decoding a user's request at least once to obtain request data; tokenizing the server's response to the request to obtain a plurality of token nodes in the response; and detecting, according to the request data and each token node, whether the request has an XSS vulnerability. This detection scheme is not affected by complex obfuscated variants of the attack payload, effectively reduces false positives and false negatives, and so improves both the efficiency and the detection performance of XSS vulnerability detection.

Description

XSS vulnerability detection method and device, computer equipment and readable medium
[ technical field ]
The invention relates to the technical field of computer application, in particular to an XSS vulnerability detection method and device, computer equipment and a readable medium.
[ background of the invention ]
Cross-site scripting (XSS) is a very common vulnerability class listed in the OWASP Top 10, and testing for it is equally common.
An XSS attack is essentially an HTML code fragment or HTML tag injected into the DOM tree, so that HTML code is executed or the DOM tree structure is altered, thereby achieving the attacker's purpose: stealing user cookies, breaking the page structure, obtaining user information (browser, IP), redirecting to other websites, XSS worms, and so on. Existing XSS vulnerability detection generally takes one of two forms: pattern matching, in which XSS is detected by regular-expression matching; and JavaScript code-fragment detection using a headless browser.
The existing pattern-matching scheme can handle simple reflected XSS attacks. Its principle is to describe key character strings and combine them in various ways; it cannot accurately understand the meaning of an attack payload, cannot cover complex obfuscated variants of the payload, and produces false positives. The existing scheme that detects JavaScript code fragments with a headless browser mainly detects key events and key functions in the page but does not examine the content, so it has false positives that cannot be resolved. Existing XSS vulnerability detection schemes therefore suffer from poor detection performance.
[ summary of the invention ]
The invention provides an XSS vulnerability detection method and device, computer equipment and a readable medium, which serve to improve XSS vulnerability detection performance.
The invention provides an XSS vulnerability detection method comprising the following steps:
decoding a user's request at least once to obtain request data;
tokenizing the server's response to the request to obtain a plurality of token nodes in the response;
and detecting, according to the request data and each token node, whether the request has an XSS vulnerability.
The invention provides an XSS vulnerability detection device comprising:
a decoding module for decoding the user's request at least once to obtain request data;
a tokenization module for tokenizing the server's response to the request to obtain a plurality of token nodes in the response;
and a detection module for detecting, according to the request data and each token node, whether the request has an XSS vulnerability.
The present invention also provides a computer apparatus comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the XSS vulnerability detection method described above.
The present invention also provides a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the XSS vulnerability detection method described above.
According to the XSS vulnerability detection method and device, computer equipment and readable medium described above, request data is obtained by decoding the user's request at least once; the server's response to the request is tokenized to obtain a plurality of token nodes; and whether the request has an XSS vulnerability is detected according to the request data and each token node. The detection scheme of this embodiment is not affected by complex obfuscated variants of the attack payload, effectively reduces false positives and false negatives, and therefore improves both the efficiency and the detection performance of XSS vulnerability detection.
[ description of the drawings ]
FIG. 1 is a flowchart illustrating an embodiment of an XSS vulnerability detection method according to the present invention.
Fig. 2 is a structural diagram of a first XSS vulnerability detection apparatus according to an embodiment of the present invention.
Fig. 3 is a structural diagram of a second XSS vulnerability detection apparatus according to an embodiment of the present invention.
FIG. 4 is a block diagram of an embodiment of a computer device of the present invention.
Fig. 5 is an exemplary diagram of a computer device provided by the present invention.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a flowchart illustrating an embodiment of an XSS vulnerability detection method according to the present invention. As shown in FIG. 1, the XSS vulnerability detection method of this embodiment may specifically include the following steps:
100. decoding a user's request at least once to obtain request data;
101. tokenizing the server's response to the request to obtain a plurality of token nodes in the response;
102. detecting, according to the request data and each token node, whether the request has an XSS vulnerability.
The XSS vulnerability detection method of this embodiment is executed by an XSS vulnerability detection apparatus, which can perform vulnerability detection on each user request. The apparatus can be communicatively connected to the server, obtain each request and the response to it from the server, perform semantic analysis of the request together with the corresponding response, and detect whether the request has an XSS vulnerability.
The purpose of an XSS attack is to implant malicious code, including HTML code, scripts and so on, into the user's page. The malicious code in turn serves to steal accounts, take control of sensitive data, steal data, plant malware on websites (drive-by downloads), control compromised machines, and the like.
An XSS attack ultimately introduces dangerous JavaScript fragments or inserts HTML nodes into the DOM tree. Based on this, the embodiment proposes a new approach to XSS vulnerability detection: analyze the request that carries the attack payload and the corresponding response together, select the token nodes and attributes in the response, and determine whether those token nodes, attributes and so on were triggered by the attack payload in the request. If so, the token node is determined to have been triggered by the attack payload and the request is determined to be an XSS attack; otherwise, if no token node in the response was triggered by the attack payload, the request is not an XSS attack but a normal request.
Specifically, the attack payload is carried in the request data as part of it. To obtain the request data, this embodiment needs to decode the user's request at least once. In practice, an XSS attack may encode the request twice in order to evade detection, so in this embodiment, if a single round of decoding does not restore valid request data, it is assumed that the attacker encoded the request data twice to keep the payload from being detected, and the apparatus decodes the data once more, that is, twice in total, to obtain valid request data. By analogy, there may be cases in practice where the user's request has to be decoded more than twice to obtain valid request data; these are not described again here. The purpose of processing the request in this embodiment is therefore to decode request data in the URL and body of the request that has been encoded by URL encoding, Unicode escaping and similar schemes. The response data of this embodiment contains HTML entity characters, which in practice appear in four forms: an entity name of the form &entityname;, a decimal numeric reference of the form &#NN;, a lowercase hexadecimal reference (&#x3C;) and an uppercase hexadecimal reference (&#X3C;). HTML entity data is processed correctly and restored to the character it denotes; a character that is not HTML entity data is processed as an ordinary character and returned as is.
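As an added example, not code from the patent, the following Python models the two pre-processing steps just described: decoding the request repeatedly until a further round changes nothing, and restoring the four HTML entity forms in the response while passing non-entity text through unchanged. The sample request, the round limit and the \uXXXX escape form are assumptions.

```python
import html.entities
import re
from typing import Tuple
from urllib.parse import unquote

# Constructed sample request: the payload is URL-encoded twice, so after a single
# decoding round the "<" and ">" of the marker tag are still hidden as %3C / %3E.
DOUBLE_ENCODED_REQUEST = "q=%25%33%43script%253Eprobe()%253C%2Fscript%253E&page=2"

MAX_ROUNDS = 5  # assumption: bound on decoding rounds so the loop always terminates

# \uXXXX escapes as found in JSON bodies and JavaScript strings (assumed form)
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# The four entity forms the description lists: &name; &#NN; &#xHH; &#XHH;
_ENTITY = re.compile(r"&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);")


def decode_once(data: str) -> str:
    """One decoding round: URL percent-decoding, then \\uXXXX unescaping."""
    data = unquote(data)
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), data)


def decode_request(raw: str) -> Tuple[str, int]:
    """Decode repeatedly until a round changes nothing.

    Returns the request data and how many rounds actually changed it, so a
    caller can see that a double-encoded request needed two rounds.
    """
    data, rounds = raw, 0
    for _ in range(MAX_ROUNDS):
        decoded = decode_once(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds


def decode_entities(text: str) -> str:
    """Restore HTML entities in response text; anything else is returned as is."""
    def restore(m):
        body = m.group(1)
        try:
            if body[:2] in ("#x", "#X"):            # hexadecimal, lower or upper case
                return chr(int(body[2:], 16))
            if body[0] == "#":                      # decimal
                return chr(int(body[1:]))
            cp = html.entities.name2codepoint.get(body)   # named entity such as lt
            return chr(cp) if cp is not None else m.group(0)
        except (ValueError, OverflowError):        # code point out of range: keep the text
            return m.group(0)
    return _ENTITY.sub(restore, text)
```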
After the user's request has been processed in this way and the request data obtained, the server's response to the request is obtained and tokenized to obtain a plurality of token nodes. For example, in this embodiment the response is analyzed byte by byte through the transitions of a finite state machine, so that the response is tokenized according to a token data structure and a plurality of token nodes are obtained. Analyzing the response byte by byte and tokenizing it according to the token data structure can be understood as semantic-analysis tokenization, and it finally yields the token nodes of the response.
Specifically, the token data structure may include a type, a name, a self-closing flag, an attribute list, an attribute name, an attribute value, an attribute name range and an attribute value range. The token type follows the types in HTML and includes doctype, comment, startTag, character, endTag, endOfFile and so on. The token data structure completely describes each token node produced by semantic-analysis tokenization.
In this embodiment, the finite states defined for the token data structure include the initial data state, token start state, token end state, token name start state, token name character state, attribute name start state, attribute name character state, attribute value start state, attribute value character state, attribute value end state, character data state and so on, 71 finite states in total. The response is analyzed byte by byte through the transitions of the finite state machine, which tokenizes the response according to the token data structure and yields the token nodes. For example, a token node begins in the data state, and the completion of token analysis also returns to the data state. Concretely, state transitions are performed byte by byte according to HTML parsing logic, and each return to the initial data state completes one token node.
The purpose of analyzing the response data byte by byte in this embodiment is to obtain the current character, obtain the next character, count the characters consumed, and determine whether the character is a special character. Special characters include the newline, double-byte characters, &, and so on.
In addition, the response data involves different encodings, character set types, character case, ASCII characters, hexadecimal values, case conversion and the like. When analyzing the response data byte by byte, some basic functions are defined for character processing, including ASCII code checks, uppercase checks, upper/lowercase conversion, hexadecimal character conversion, whitespace checks, hexadecimal array checks and the like, so that the response data can be processed effectively.
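The following Python is an added example, not the patent's implementation: a reduced finite-state tokenizer that walks the response one character at a time and emits a token node (type, name, self-closing flag, attribute list with name and value ranges) each time it returns to the data state. The 11 states, the Token and Attr field names and the sample response are assumptions; the patent's 71-state machine is not reproduced.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Attr:
    name: str
    value: str
    name_range: Tuple[int, int]   # offsets of the attribute name in the response
    value_range: Tuple[int, int]  # offsets of the attribute value in the response

@dataclass
class Token:
    type: str                     # comment, startTag, endTag, character, endOfFile
    name: str = ""                # tag name, comment text, or character data
    self_closing: bool = False
    attrs: List[Attr] = field(default_factory=list)

WS = " \t\n\r\f"

# Constructed sample response; not taken from the patent.
SAMPLE_RESPONSE = '<a href="/p?id=1" onclick=go()>Hi</a><br/><!--c-->'


def tokenize(resp: str) -> List[Token]:
    """Reduced finite-state tokenizer (11 states instead of the patent's 71).
    A token node is emitted each time the machine returns to the data state;
    doctype and the `attr = value` spacing variants are not modelled."""
    tokens: List[Token] = []
    state, i, n = "data", 0, len(resp)
    text: List[str] = []
    cur: Optional[Token] = None
    aname = aval = quote = ""
    aname_start = aval_start = 0

    def emit_text() -> None:
        if text:
            tokens.append(Token("character", "".join(text)))
            text.clear()

    def finish_attr() -> None:
        nonlocal aname, aval
        if aname and cur is not None:
            cur.attrs.append(Attr(aname.lower(), aval,
                                  (aname_start, aname_start + len(aname)),
                                  (aval_start, aval_start + len(aval))))
        aname = aval = ""

    while i < n:
        c = resp[i]
        if state == "data":
            if c == "<": emit_text(); state = "tagOpen"
            else: text.append(c)
        elif state == "tagOpen":
            if c == "/": state = "endTagOpen"
            elif resp.startswith("!--", i): cur = Token("comment"); state = "comment"; i += 2
            elif c.isalpha(): cur = Token("startTag", c.lower()); state = "tagName"
            else: text.extend(("<", c)); state = "data"    # stray "<" is character data
        elif state == "endTagOpen":
            cur = Token("endTag"); state = "tagName"; continue   # re-read c as the tag name
        elif state == "tagName":
            if c in WS: state = "beforeAttrName"
            elif c == "/": state = "selfClosingStart"
            elif c == ">": tokens.append(cur); state = "data"
            else: cur.name += c.lower()
        elif state == "beforeAttrName":
            if c == "/": state = "selfClosingStart"
            elif c == ">": tokens.append(cur); state = "data"
            elif c not in WS: aname, aname_start, state = c, i, "attrName"
        elif state == "attrName":
            if c == "=": state = "beforeAttrValue"
            elif c == "/": finish_attr(); state = "selfClosingStart"
            elif c == ">": finish_attr(); tokens.append(cur); state = "data"
            elif c in WS: finish_attr(); state = "beforeAttrName"   # valueless attribute
            else: aname += c
        elif state == "beforeAttrValue":
            if c in "\"'": quote, aval_start, state = c, i + 1, "attrValueQuoted"
            elif c == ">": finish_attr(); tokens.append(cur); state = "data"
            elif c not in WS: aval, aval_start, state = c, i, "attrValueUnquoted"
        elif state == "attrValueQuoted":
            if c == quote: finish_attr(); state = "beforeAttrName"
            else: aval += c
        elif state == "attrValueUnquoted":
            if c in WS: finish_attr(); state = "beforeAttrName"
            elif c == ">": finish_attr(); tokens.append(cur); state = "data"
            else: aval += c
        elif state == "selfClosingStart":
            if c == ">": cur.self_closing = True; tokens.append(cur); state = "data"
            else: state = "beforeAttrName"; continue       # re-read c in the new state
        elif state == "comment":
            if resp.startswith("-->", i): tokens.append(cur); state = "data"; i += 2
            else: cur.name += c
        i += 1
    emit_text()
    tokens.append(Token("endOfFile"))
    return tokens
```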
Based on the above processing, the user's request is processed to obtain the request data and the response is processed to obtain the plurality of token nodes; it can then be detected from the request data whether an XSS vulnerability exists among the token nodes. If the request is an XSS attack, the attack payload is carried in the request data and some token nodes in the server's response are triggered by that payload. Whether the request has an XSS vulnerability can therefore be detected according to the request data and each token node.
Further, optionally, step 102, "detecting, according to the request data and each token node, whether the request has an XSS vulnerability", may in this embodiment specifically include the following steps:
(a) verifying, according to the request data and each token node, whether each token node is an insertion node of an XSS vulnerability;
For any token node, verifying according to the request data whether it is an XSS vulnerability insertion node means comparing the content of the token node with the content of the request data and judging whether part of the token node's content exists in the request data, that is, whether the token node content and the request data share a common segment. If they do, part of the token node exists in the request data; that common segment is the attack payload data, which means the token node in the response was triggered by the attack payload in the request, and the token node is the insertion point of the XSS vulnerability.
(b) judging whether an XSS vulnerability insertion node exists among the plurality of token nodes; if so, executing step (c); otherwise, if no XSS vulnerability insertion node exists among the token nodes, executing step (d);
(c) determining that the request has an XSS vulnerability, and ending;
(d) determining that the request is a normal request, and ending.
To achieve the purpose of an XSS attack, an attacker selects tags or attributes that meet the attack's requirements. For example, an XSS attack may fall into the following cases:
Case A, implanting a malicious JavaScript fragment, modifying the original JavaScript logic or inserting a JavaScript fragment; the attributes involved fall into the following categories:
1. a modified JavaScript fragment (detected in tokens of the character type);
2. the src attribute of the script tag;
3. the href attribute of the script tag;
4. any attribute whose value contains "javascript:" (regardless of the tag);
5. the values attribute, when it contains a plurality of attribute values.
Case B, implanting a malicious event that runs automatically or runs in response to a related operation once its conditions are met; the attributes involved are those whose name matches onxxx (regardless of the tag).
Case C, introducing an external malicious URL; the attributes involved fall into the following categories:
1. the data attribute of the object tag;
2. the classid attribute of the object tag (related to a URL, usually a Java class);
3. the name attribute and the value attribute of the param tag;
4. the src attribute of the embed tag;
5. the code attribute of the embed tag;
6. the code attribute of the applet tag;
7. the src attribute of the frame tag;
8. the href attribute of the base tag;
9. the action attribute of the form tag;
10. the formaction attribute of the input tag;
11. the formaction attribute of the button tag.
Case D, other dangerous operations, for example:
if the attack embeds content of a particular MIME type (for example a Flash object containing XSS), the corresponding attack point may be the type attribute of the embed tag;
if the attack embeds an object resource, the corresponding attack point may be the object attribute of the applet tag (similar to the object tag);
if the attack modifies the response header content or the cookie content, the corresponding attack point may be the http-equiv attribute of the meta tag.
For the above attack attributes of an XSS attack, step (a) in this embodiment, "verifying, according to the request data and each token node, whether each token node is an insertion node of the XSS vulnerability", correspondingly covers the following cases:
Case A: for each token node, verifying according to the request data whether a malicious JavaScript fragment has been implanted in the token node; if so, the token node is determined to be an insertion node of the XSS vulnerability, otherwise it is determined not to be one.
Case B: for each token node, verifying according to the request data whether a malicious event has been implanted in the token node; if so, the token node is determined to be an insertion node of the XSS vulnerability, otherwise it is determined not to be one.
Case C: for each token node, verifying according to the request data whether an external malicious URL has been introduced into the token node; if so, the token node is determined to be an insertion node of the XSS vulnerability, otherwise it is determined not to be one.
Case D: for each token node, verifying according to the request data whether the token node contains other dangerous operations; if so, the token node is determined to be an insertion node of the XSS vulnerability, otherwise it is determined not to be one.
Further, "verifying according to the request data whether a malicious JavaScript fragment has been implanted in the token node" in case A may specifically include any of the following:
(a1) if the token node is of the character type, judging whether part of the JavaScript fragment in the token node exists in the request data;
Specifically, the JavaScript fragment in the token node is matched against the request data to judge whether the two share a common fragment; if they do, that common fragment of the token node's JavaScript is considered to exist in the request data. The common fragment can be regarded as attack payload data, and the token node in the response was triggered because that payload exists in the request. The request therefore has an XSS vulnerability, and the token node is its insertion point.
(b1) if the token node is a script tag, judging whether the content corresponding to the src attribute or the xlink:href attribute exists in the request data;
In this embodiment, when judging whether the content corresponding to an attribute exists in the request data, segment matching is performed on fragments of the form "attribute name=attribute value". The fragment in the token node is compared with the fragment of the same attribute name in the request data to judge whether the token node's fragment exists in the request data; if it does, the content corresponding to the attribute is determined to exist in the request data, and the token node can further be determined to be an XSS vulnerability insertion node. Otherwise, if they do not match, the content corresponding to the attribute is determined not to exist in the request data, and the token node is determined not to be an insertion node of the XSS vulnerability.
It should be noted that, because the server applies special processing to special characters in the token nodes of the response data, in order to match the attribute values in the token node effectively against the corresponding attribute values in the request data, this embodiment truncates the values of some attributes. For example, the value of the src attribute is truncated at certain special characters such as "&", "?", "#" and "\", and only the segment before the special character is taken as the valid attribute value segment. The value of a script attribute is truncated according to the line-break conventions of JavaScript code, and only the fragment retained after truncation is taken as the valid attribute value fragment. Similarly, the value of a normal attribute may be truncated once its content exceeds 100 characters, and only the segment remaining after truncation is taken as the valid attribute value segment. Finally, the attribute name is combined with the truncated value to form a matching comparison segment "attribute name=truncated attribute value", and it is judged whether the request data includes that segment of the token node; if it does, the content corresponding to the attribute exists in the request data. In practice, different truncation strategies can be adopted for different attributes to improve matching efficiency. Alternatively, the values of some attributes may not be truncated at all, and segment matching is performed on "attribute name=full attribute value".
In this step, according to the src-attribute truncation strategy, the src attribute and the xlink:href attribute of the token node are each formed into a segment "attribute name=truncated attribute value", the segment is matched against the request data, and it is judged whether the segment exists in the request data; if it does, the content corresponding to the attribute is determined to exist in the request data, and the token node can further be determined to be an insertion node of the XSS vulnerability. Otherwise, if they do not match, the content corresponding to the attribute is determined not to exist in the request data, and the token node is determined not to be an insertion node of the XSS vulnerability.
(c1) for any attribute whose value contains "javascript", judging whether part of the JavaScript fragment in the attribute value exists in the request data; and
In this step, the "javascript" fragment in the attribute value may be truncated in the same way as the value of a script attribute. Likewise, the fragment "attribute name=truncated attribute value" from the token node is matched against the request data, and whether the token node is the insertion point of the XSS vulnerability is determined in the manner of the embodiment above; this is not described again here.
(d1) when the values attribute includes a plurality of attribute values, judging whether the content corresponding to the values attribute and its attribute values exists in the request data.
In this step, each attribute value of the values attribute is analyzed independently, without truncation. When matching the fragments of the values attribute, two fragments are taken from the token node: "values=" and the attribute value. Each of the two fragments is matched against the request data; if both exist in the request data, the token node is an XSS vulnerability insertion point, otherwise it is not. Because the values attribute has a plurality of attribute values, the token node can be determined to be the insertion point of the XSS vulnerability as long as the two fragments "values=" and the attribute value corresponding to any one of its attribute values exist in the request data.
Further, "verifying according to the request data whether a malicious event has been implanted in the token node" in case B may specifically include: for onxxx attributes, judging whether the content corresponding to the attribute exists in the request data.
The value of an onxxx attribute in this embodiment may be truncated in the same way as the value of a script attribute, a matching comparison segment is generated from the truncated value, and whether the token node is an insertion point of the XSS vulnerability is then determined in the manner of the embodiment above; this is not described again here.
Further, "verifying according to the request data whether an external malicious URL has been introduced into the token node" in case C may specifically include any of the following:
(a2) if the token node is an object tag, judging whether the content corresponding to the data attribute or the classid attribute exists in the request data;
The classid attribute of this embodiment is associated with a URL, usually a Java class.
(b2) if the token node is a param tag, judging whether the content corresponding to the name attribute or the value attribute exists in the request data;
(c2) if the token node is an embed tag, judging whether the content corresponding to the src attribute or the code attribute exists in the request data;
(d2) if the token node is an applet tag, judging whether the content corresponding to the code attribute exists in the request data;
(e2) if the token node is a frame tag, judging whether the content corresponding to the src attribute exists in the request data;
(f2) if the token node is a base tag, judging whether the content corresponding to the href attribute exists in the request data;
(g2) if the token node is a form tag, judging whether the content corresponding to the action attribute exists in the request data; and
(h2) if the token node is an input or button tag, judging whether the content corresponding to the formaction attribute exists in the request data.
In steps (a2) to (h2) of this embodiment, the value of the data attribute may be truncated in the same way as the value of the src attribute; the value of the classid attribute in the same way as a normal attribute; the value of the name or value attribute in the same way as the src attribute; the value of the code attribute in the same way as the src attribute; the value of the formaction attribute in the same way as the src attribute; and the values of the href and action attributes in the same way as a normal attribute. A matching comparison segment "attribute name=truncated attribute value" is then generated from the truncated value, it is verified in the manner of the embodiment above whether that segment exists in the request data, and whether the token node is an insertion point of the XSS vulnerability is determined accordingly.
Further, "verifying whether the corresponding token node contains other dangerous operations according to the request data" in case D may specifically include any one of the following:
(a3) if the type of the token node is an embed tag, judging whether the corresponding content of the type attribute exists in the request data;
this step corresponds to XSS attacks that embed content of a particular MIME type, such as embedding a Flash file containing XSS;
(b3) if the type of the token node is an applet tag, judging whether the corresponding content of the object attribute exists in the request data; and
this step corresponds to XSS attacks that embed an object resource; the object attribute plays a role similar to that of the object tag;
(c3) if the type of the token node is a meta tag, judging whether the corresponding content of the type attribute exists in the request data.
This step corresponds to XSS attacks that modify the response header content or the cookie content.
In steps (a3)-(c3) of this embodiment, the type attribute of the embed tag, the object attribute of the applet tag and the type attribute of the meta tag may all be truncated in the manner used for the attribute value of a normal attribute. Subsequently, a matching comparison segment of the form "attribute name = truncated attribute value" is generated from the truncated attribute value; then, as in the above embodiment, it is verified whether the matching comparison segment exists in the request data, and from this it is determined whether the token node is an insertion node of the XSS vulnerability.
According to the method of this embodiment, every token node in the response can be verified and it can be determined whether each token node is an insertion node of an XSS vulnerability. Then, based on the detection results of all the token nodes, it is judged whether an XSS vulnerability insertion node exists among the plurality of token nodes: as long as one XSS vulnerability insertion node exists among them, it is determined that an XSS attack exists in the user's request; only if none of the plurality of token nodes in the response is an insertion node of an XSS vulnerability can it be determined that the user's request does not carry an XSS attack.
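The per-token-node verification of cases A to D and the final decision described above, as an added example that is not the patent's own code: Python's standard-library HTMLParser stands in for the finite-state-machine word segmenter, the truncation rule is simplified to a fixed prefix length, the "format" attribute is taken to mean formaction, and the request/response pairs are constructed.

```python
import html
import urllib.parse
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Tag -> attributes whose truncated value is compared against the request data.
# Table taken from steps (a2)-(h2) and (a3)-(c3) above plus the script-tag rule;
# "formaction" is an assumption for what the text calls the "format" attribute.
URL_ATTRS = {
    "object": ("data", "classid"),
    "param": ("name", "value"),
    "embed": ("src", "code", "type"),
    "applet": ("code", "object"),
    "frame": ("src",),
    "base": ("href",),
    "form": ("action",),
    "input": ("formaction",),
    "button": ("formaction",),
    "script": ("src", "xlink:href"),
    "meta": ("type",),
}
TRUNCATE_AT = 40  # assumption: a fixed prefix replaces the page's src/normal truncation rules


@dataclass
class TokenNode:
    kind: str                 # "tag" or "text"
    name: str = ""            # tag name (HTMLParser lower-cases it)
    attrs: dict = field(default_factory=dict)
    text: str = ""
    in_script: bool = False   # text node sits inside <script>...</script>


class Tokenizer(HTMLParser):
    """Stand-in for the patent's finite-state-machine word segmenter."""

    def __init__(self):
        super().__init__()
        self.nodes, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        self.nodes.append(TokenNode("tag", tag, {k: (v or "") for k, v in attrs}))
        if tag == "script":
            self._in_script = True

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if data.strip():
            self.nodes.append(TokenNode("text", text=data, in_script=self._in_script))


def decode_request(raw_query: str, rounds: int = 2) -> str:
    """Decode the request at least once: URL decoding, then HTML entities."""
    data = raw_query
    for _ in range(rounds):
        data = urllib.parse.unquote_plus(data)
    return html.unescape(data).lower()


def segment_in_request(name: str, value: str, request_data: str) -> bool:
    """Build the comparison segment 'name=value' and look for it in the request data."""
    value = value[:TRUNCATE_AT]
    return any(f"{name}={q}{value}" in request_data for q in ("", '"', "'"))


def verify_node(node: TokenNode, request_data: str):
    """Return why the node is an XSS insertion node, or None if it is not one."""
    if node.kind == "text":
        frag = node.text.strip().lower()
        if node.in_script and frag and frag in request_data:
            return "script-text"                 # case A, character-type token
        return None
    for name, value in node.attrs.items():
        v = value.strip().lower()
        if not v:
            continue
        if name.startswith("on") and segment_in_request(name, v, request_data):
            return f"event:{name}"               # case B, onxxx event handler
        if v.startswith("javascript:") and v[len("javascript:"):] in request_data:
            return f"javascript-url:{name}"      # case A, attribute value carrying javascript
        if name in URL_ATTRS.get(node.name, ()) and segment_in_request(name, v, request_data):
            return f"url:{node.name}.{name}"     # cases C and D, external url / other dangerous op
    return None


def detect_xss(raw_query: str, response_html: str):
    """Verify every token node; one insertion node means the request carries XSS."""
    request_data = decode_request(raw_query)
    tokenizer = Tokenizer()
    tokenizer.feed(response_html)
    tokenizer.close()
    hits = []
    for node in tokenizer.nodes:
        reason = verify_node(node, request_data)
        if reason:
            hits.append((node, reason))
    return hits


# Constructed request/response pairs (not real traffic).
SAMPLES = {
    "reflected_event": ("q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
                        "<p>You searched for <img src=x onerror=alert(1)></p>"),
    "javascript_url": ("next=javascript%3Aalert(document.domain)",
                       '<a href="javascript:alert(document.domain)">continue</a>'),
    "script_text": ("q=%3C%2Fscript%3E%3Cscript%3Efetch('//x.test')%3C%2Fscript%3E",
                    "<script>var q = \"\";</script><script>fetch('//x.test')</script>"),
    "benign": ("q=hello+world",
               '<form action="/search"><input name="q" value="hello world" onfocus="track()"></form>'),
}

if __name__ == "__main__":
    for label, (query, body) in SAMPLES.items():
        hits = detect_xss(query, body)
        print(label, "XSS" if hits else "normal", [r for _, r in hits])
```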
All processing steps of this embodiment may be recorded in a log; for example, the recorded log content may include the URL decoding process, the HTML entity parsing process, backtracking records, finite state machine transitions, token structure information, the lexical matching process, and the like.
In the XSS vulnerability detection method of this embodiment, after determining that an XSS vulnerability exists in the user's request, the XSS vulnerability detection apparatus of this embodiment needs to output the detection result to other programs or products. Specifically, the detection result is output in protobuf format to ensure portability across different languages. Further, since the above embodiment has verified whether each token node is an XSS vulnerability insertion node, if a certain token node is an XSS vulnerability insertion node, information about that insertion node may also be output in the detection result; for example, it may be identification information such as the name of the XSS insertion node.
In the XSS vulnerability detection method of this embodiment, request data is obtained by decoding the user's request at least once; word segmentation is performed on the server's response to the request to obtain a plurality of token nodes in the response; and whether an XSS vulnerability exists in the request is detected according to the request data and each token node. Because the detection is based on the request data and the token nodes, the XSS vulnerability is monitored on the basis of content, the attack payload and behaviour segments in the response can be analyzed, and reflected XSS can be detected more accurately; in addition, the technical solution of this embodiment can also detect some stored XSS attacks. Furthermore, the XSS vulnerability detection scheme of this embodiment is not affected by complex obfuscation variants of the attack payload and can effectively reduce false positives and false negatives, so the efficiency and detection performance of XSS vulnerability detection are effectively improved. Compared with the existing method of executing javascript code fragments in a headless browser, this method performs content-based detection, which avoids false positives and improves the efficiency and detection performance of XSS vulnerability detection.
As XSS attack payloads grow more complex, existing common detection means cannot meet the requirements of XSS vulnerability detection, which is why the XSS vulnerability detection scheme of this embodiment of the invention is proposed. Experimental verification shows that the detection rate of this scheme is 93%; compared with the existing technical scheme, the detection rate and accuracy are doubled, so XSS vulnerability detection performance is effectively improved. Meanwhile, the XSS vulnerability detection scheme of this embodiment can be used as a basic module that outputs detection results, can be conveniently applied to other products, improves the commercial value of related products, and has very strong practicability.
Fig. 2 is a structural diagram of a first XSS vulnerability detection apparatus according to an embodiment of the present invention. As shown in fig. 2, the XSS vulnerability detection apparatus of this embodiment may specifically include:
the decoding module 10 is configured to decode the user's request at least once to obtain request data;
the word segmentation module 11 is configured to perform word segmentation on the server's response to the request to obtain a plurality of token nodes in the response;
the detection module 12 is configured to detect whether an XSS vulnerability exists in the request according to the request data decoded by the decoding module 10 and each token node obtained by the word segmentation module 11.
The XSS vulnerability detection apparatus of this embodiment implements the XSS vulnerability detection by using the module according to the same implementation principle and technical effect as those of the related method embodiments, and reference may be made to the description of the related method embodiments in detail, which is not repeated herein.
Fig. 3 is a structural diagram of a second XSS vulnerability detection apparatus according to an embodiment of the present invention. As shown in fig. 3, the XSS vulnerability detection apparatus of the present embodiment further introduces the technical solution of the present invention in more detail based on the technical solution of the embodiment shown in fig. 2.
In the XSS vulnerability detection apparatus of this embodiment, the word segmentation module 11 is specifically configured to analyze the response byte by byte through conversion of a finite state machine, and implement word segmentation processing on the response according to a token data structure to obtain a plurality of token nodes.
As shown in fig. 3, in the XSS vulnerability detection apparatus of this embodiment, the detection module 12 specifically includes:
the verification unit 121 is configured to verify whether each token node is an insertion node of an XSS vulnerability according to the request data obtained by decoding by the decoding module 10 and each token node obtained by word segmentation processing by the word segmentation module 11;
the determining unit 122 is configured to determine whether an XSS vulnerability insertion node exists in the token nodes based on the verification result of the verifying unit 121; if yes, determining that the XSS vulnerability exists in the request; otherwise, if the XSS vulnerability insertion node does not exist in the plurality of token nodes, determining that the request is a normal request.
Further optionally, the verification unit 121 is specifically configured to: for each token node, verify according to the request data whether a malicious javascript fragment is implanted in the corresponding token node; if so, determine that the corresponding token node is an insertion node of the XSS vulnerability, otherwise determine that it is not.
Correspondingly, at this time, the verification unit 121 is specifically configured to perform any one of the following operations:
if the type of the token node is the character type, judging whether part of the javascript fragments in the token node exist in the request data;
if the type of the token node is a script tag, judging whether the corresponding content of the src attribute or xlink-href attribute exists in the request data;
for any attribute whose attribute value contains javascript, judging whether part of the javascript fragments in the attribute value exist in the request data; and
when a value attribute includes a plurality of attribute values, judging whether the value attribute and the corresponding content of the attribute values exist in the request data.
Further optionally, the verification unit 121 is specifically configured to: for each token node, verify according to the request data whether a malicious event is implanted in the corresponding token node; if so, determine that the corresponding token node is an insertion node of the XSS vulnerability, otherwise determine that it is not.
Correspondingly, at this time, the verification unit 121 is specifically configured to judge, for any onxxx (event handler) attribute, whether the corresponding content of the attribute exists in the request data.
Further optionally, the verification unit 121 is specifically configured to: for each token node, verify according to the request data whether an external malicious url is introduced into the corresponding token node; if so, determine that the corresponding token node is an insertion node of the XSS vulnerability, otherwise determine that it is not.
Correspondingly, at this time, the verification unit 121 is specifically configured to perform any one of the following operations:
if the type of the token node is an object tag, judging whether the corresponding content of the data attribute or the classid attribute exists in the request data;
if the type of the token node is a param tag, judging whether the corresponding content of the name attribute or the value attribute exists in the request data;
if the type of the token node is an embed tag, judging whether the corresponding content of the src attribute or the code attribute exists in the request data;
if the type of the token node is an applet tag, judging whether the corresponding content of the code attribute exists in the request data;
if the type of the token node is a frame tag, judging whether the corresponding content of the src attribute exists in the request data;
if the type of the token node is a base tag, judging whether the corresponding content of the href attribute exists in the request data;
if the type of the token node is a form tag, judging whether the corresponding content of the action attribute exists in the request data; and
if the type of the token node is an input or button tag, judging whether the corresponding content of the format attribute exists in the request data.
Further optionally, the verification unit 121 is specifically configured to: for each token node, verify according to the request data whether other dangerous operations are contained in the corresponding token node; if so, determine that the corresponding token node is an insertion node of the XSS vulnerability, otherwise determine that it is not.
Correspondingly, at this time, the verification unit 121 is specifically configured to perform any one of the following operations:
if the type of the token node is an embed tag, judging whether the corresponding content of the type attribute exists in the request data;
if the type of the token node is an applet tag, judging whether the corresponding content of the object attribute exists in the request data; and
if the type of the token node is a meta tag, judging whether the corresponding content of the type attribute exists in the request data.
The XSS vulnerability detection apparatus of this embodiment implements the XSS vulnerability detection by using the module according to the same implementation principle and technical effect as those of the related method embodiments, and reference may be made to the description of the related method embodiments in detail, which is not repeated herein.
FIG. 4 is a block diagram of an embodiment of a computer device of the present invention. As shown in fig. 4, the computer device of the present embodiment includes: one or more processors 30, and a memory 40, the memory 40 being configured to store one or more programs, when the one or more programs stored in the memory 40 are executed by the one or more processors 30, the one or more processors 30 being configured to implement the XSS vulnerability detection method according to the embodiment shown in fig. 1 above. The embodiment shown in fig. 4 is exemplified by including a plurality of processors 30.
For example, fig. 5 is an exemplary diagram of a computer device provided by the present invention. FIG. 5 illustrates a block diagram of an exemplary computer device 12a suitable for use in implementing embodiments of the present invention. The computer device 12a shown in fig. 5 is only an example and should not bring any limitations to the functionality or scope of use of the embodiments of the present invention.
As shown in FIG. 5, computer device 12a is in the form of a general purpose computing device. The components of computer device 12a may include, but are not limited to: one or more processors 16a, a system memory 28a, and a bus 18a that connects the various system components (including the system memory 28a and the processors 16a).
Bus 18a represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer device 12a typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer device 12a and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28a may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30a and/or cache memory 32a. Computer device 12a may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34a may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18a by one or more data media interfaces. System memory 28a may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of the various embodiments of the invention described above in FIGS. 1-3.
A program/utility 40a having a set (at least one) of program modules 42a may be stored, for example, in system memory 28a, such program modules 42a including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may include an implementation of a network environment. Program modules 42a generally perform the functions and/or methodologies described above in connection with the various embodiments of fig. 1-3 of the present invention.
Computer device 12a may also communicate with one or more external devices 14a (e.g., keyboard, pointing device, display 24a, etc.), with one or more devices that enable a user to interact with computer device 12a, and/or with any devices (e.g., network card, modem, etc.) that enable computer device 12a to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22a. Also, computer device 12a may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet) through network adapter 20a. As shown, network adapter 20a communicates with the other modules of computer device 12a via bus 18a. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computer device 12a, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processor 16a executes various functional applications and data processing by executing programs stored in the system memory 28a, for example, implementing the XSS vulnerability detection method shown in the above embodiment.
The present invention also provides a computer readable medium, on which a computer program is stored, which when executed by a processor implements the XSS vulnerability detection method as shown in the above embodiments.
The computer-readable media of this embodiment may include RAM 30a, and/or cache memory 32a, and/or storage system 34a in system memory 28a in the embodiment illustrated in FIG. 5 described above.
With the development of technology, the propagation path of computer programs is no longer limited to tangible media, and the computer programs can be directly downloaded from a network or acquired by other methods. Accordingly, the computer-readable medium in the present embodiment may include not only tangible media but also intangible media.
The computer-readable medium of the present embodiments may take any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that enable a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (22)

1. An XSS vulnerability detection method, comprising:
decoding a request of a user at least once to obtain request data;
performing word segmentation processing on the response of the server to the request to obtain a plurality of token nodes in the response;
detecting whether an XSS vulnerability exists in the request or not according to the request data and each token node, wherein if the same fragments exist in the request data and the token nodes, the XSS vulnerability exists in the token nodes;
performing word segmentation processing on the response of the server to the request to obtain a plurality of token nodes in the response, specifically comprising:
analyzing the responses byte by byte through state conversion of a finite state machine, and implementing word segmentation processing on the responses according to a token data structure to obtain a plurality of token nodes, wherein the state of the finite state machine comprises the state in the token data structure.
2. The method according to claim 1, wherein detecting whether an XSS vulnerability exists in the request according to the request data and each token node specifically comprises:
verifying whether each token node is an insertion node of an XSS vulnerability according to the request data and each token node;
judging whether an insertion node of an XSS vulnerability exists in the plurality of token nodes, and if so, determining that the XSS vulnerability exists in the request; otherwise, determining that the request is a normal request.
3. The method according to claim 2, wherein verifying whether each token node is an insertion node of an XSS vulnerability according to the request data and each token node specifically comprises:
for each token node, verifying whether a malicious javascript fragment is implanted into the corresponding token node according to the request data; if so, determining that the corresponding token node is an insertion node of an XSS vulnerability, otherwise, determining that the corresponding token node is not an insertion node of the XSS vulnerability.
4. The method according to claim 3, wherein verifying whether a malicious javascript fragment is embedded in the corresponding token node according to the request data specifically includes any one of:
if the type of the token node is a character type, judging whether part of the javascript fragments in the token node exist in the request data;
if the type of the token node is a script tag, judging whether the corresponding content of the src attribute or xlink-href attribute exists in the request data;
for any attribute whose attribute value contains javascript, judging whether part of the javascript fragments in the attribute value exist in the request data; and
when a value attribute includes a plurality of attribute values, judging whether the value attribute and the corresponding content of the attribute values are present in the request data.
5. The method according to claim 2, wherein verifying whether each token node is an insertion node of an XSS vulnerability according to the request data and each token node specifically comprises:
for each token node, verifying whether a malicious event is implanted into the corresponding token node according to the request data; if so, determining that the corresponding token node is an insertion node of an XSS vulnerability, otherwise, determining that the corresponding token node is not an insertion node of the XSS vulnerability.
6. The method according to claim 5, wherein verifying whether a malicious event is implanted in the corresponding token node according to the request data specifically includes:
for any onxxx attribute, judging whether the corresponding content of the attribute exists in the request data.
7. The method according to claim 2, wherein verifying whether each token node is an insertion node of an XSS vulnerability according to the request data and each token node specifically comprises:
for each token node, verifying whether an external malicious url is introduced into the corresponding token node according to the request data; if so, determining that the corresponding token node is an insertion node of the XSS vulnerability, otherwise, determining that the corresponding token node is not an insertion node of the XSS vulnerability.
8. The method according to claim 7, wherein verifying whether an external malicious url is introduced into the corresponding token node according to the request data specifically includes any one of:
if the type of the token node is an object tag, judging whether the corresponding content of the data attribute or the classid attribute exists in the request data;
if the type of the token node is a param tag, judging whether the corresponding content of the name attribute or the value attribute exists in the request data;
if the type of the token node is an embed tag, judging whether the corresponding content of the src attribute or the code attribute exists in the request data;
if the type of the token node is an applet tag, judging whether the corresponding content of the code attribute exists in the request data;
if the type of the token node is a frame tag, judging whether the corresponding content of the src attribute exists in the request data;
if the type of the token node is a base tag, judging whether the corresponding content of the href attribute exists in the request data;
if the type of the token node is a form tag, judging whether the corresponding content of the action attribute exists in the request data; and
if the type of the token node is an input or button tag, judging whether the corresponding content of the format attribute exists in the request data.
9. The method according to claim 2, wherein verifying whether each token node is an insertion node of an XSS vulnerability according to the request data and each token node specifically comprises:
for each token node, verifying whether other dangerous operations are contained in the corresponding token node according to the request data; if so, determining that the corresponding token node is an insertion node of an XSS vulnerability, otherwise, determining that the corresponding token node is not an insertion node of the XSS vulnerability.
10. The method according to claim 9, wherein verifying whether other dangerous operations are contained in the corresponding token node according to the request data specifically includes any one of:
if the type of the token node is an embed tag, judging whether the corresponding content of the type attribute exists in the request data;
if the type of the token node is an applet tag, judging whether the corresponding content of the object attribute exists in the request data; and
if the type of the token node is a meta tag, judging whether the corresponding content of the type attribute exists in the request data.
11. An XSS vulnerability detection apparatus, the apparatus comprising:
a decoding module, configured to decode a user's request at least once to obtain request data;
a word segmentation module, configured to perform word segmentation on the server's response to the request to obtain a plurality of token nodes in the response; and
a detection module, configured to detect, according to the request data and each token node, whether an XSS vulnerability exists in the request, wherein if the same segment exists in both the request data and a token node, an XSS vulnerability exists in that token node;
wherein the word segmentation module is specifically configured to analyze the response byte by byte through the state transitions of a finite state machine, thereby performing word segmentation on the response according to a token data structure and obtaining the plurality of token nodes, the states of the finite state machine including the states in the token data structure.
12. The apparatus according to claim 11, wherein the detection module specifically comprises:
a verification unit, configured to verify, according to the request data and each token node, whether each token node is an insertion node of an XSS vulnerability; and
a determining unit, configured to determine, based on the verification result of the verification unit, whether an insertion node of an XSS vulnerability exists among the token nodes; if so, determining that the request has an XSS vulnerability, and otherwise determining that the request is a normal request.
13. The apparatus according to claim 12, wherein the verification unit is specifically configured to:
for each token node, verify according to the request data whether a malicious JavaScript fragment has been implanted into the token node; if so, determine that the token node is an insertion node of an XSS vulnerability, and otherwise determine that it is not.
14. The apparatus according to claim 13, wherein the verification unit is specifically configured to perform any one of the following operations:
if the type of the token node is the character type, determining whether the JavaScript fragment in the token node exists in the request data;
if the type of the token node is a script tag, determining whether the src attribute or the xlink-href attribute exists in the request data;
for any attribute whose value contains javascript, determining whether the javascript fragment in the attribute value exists in the request data; and
when a value attribute includes a plurality of attribute values, determining whether each of the attribute values exists in the request data.
15. The apparatus according to claim 12, wherein the verification unit is specifically configured to:
for each token node, verify according to the request data whether a malicious event has been implanted into the token node; if so, determine that the token node is an insertion node of an XSS vulnerability, and otherwise determine that it is not.
16. The apparatus according to claim 15, wherein the verification unit is specifically configured to determine, for an onxxx attribute, whether the corresponding attribute value exists in the request data.
17. The apparatus according to claim 16, wherein the verification unit is specifically configured to:
for each token node, verify according to the request data whether an external malicious URL has been introduced into the token node; if so, determine that the token node is an insertion node of an XSS vulnerability, and otherwise determine that it is not.
18. The apparatus according to claim 17, wherein the verification unit is specifically configured to perform any one of the following operations:
if the type of the token node is an object tag, determining whether the data attribute or the classid attribute exists in the request data;
if the type of the token node is a param tag, determining whether the name attribute or the value attribute exists in the request data;
if the type of the token node is an embed tag, determining whether the src attribute or the code attribute exists in the request data;
if the type of the token node is an applet tag, determining whether the code attribute exists in the request data;
if the type of the token node is a frame tag, determining whether the src attribute exists in the request data;
if the type of the token node is a base tag, determining whether the href attribute exists in the request data;
if the type of the token node is a form tag, determining whether the action attribute exists in the request data; and
if the type of the token node is an input or button tag, determining whether the format attribute exists in the request data.
19. The apparatus according to claim 12, wherein the verification unit is specifically configured to:
for each token node, verify according to the request data whether the token node contains other dangerous operations; if so, determine that the token node is an insertion node of an XSS vulnerability, and otherwise determine that it is not.
20. The apparatus according to claim 19, wherein the verification unit is specifically configured to perform any one of the following operations:
if the type of the token node is an embed tag, determining whether the type attribute exists in the request data;
if the type of the token node is an applet tag, determining whether the object attribute exists in the request data; and
if the type of the token node is a meta tag, determining whether the type attribute exists in the request data.
21. A computer device, the device comprising:
one or more processors; and
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-10.
22. A computer-readable medium on which a computer program is stored, the program, when executed by a processor, implementing the method according to any one of claims 1-10.
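The detection flow the claims describe (decode the request at least once, tokenize the response into token nodes, then test each node for echoed script text, onxxx handlers, javascript: values and the URL/type attributes of claims 14-20), written out as an added Python example; this is not the patent's own code. Assumptions: the standard library's HTMLParser stands in for the patent's finite-state-machine tokenizer, "formaction" is taken as the claims' "format attribute" of input/button, the claims' "xlink-href" is written as the HTML attribute xlink:href, and all request and response strings are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote

# Tag -> attributes the claims single out (claims 14, 18, 20). "formaction" is an
# assumption for what the claims call the "format attribute" of input/button.
SENSITIVE_ATTRS = {
    "script": {"src", "xlink:href"}, "object": {"data", "classid"}, "param": {"name", "value"},
    "embed": {"src", "code", "type"}, "applet": {"code", "object"}, "frame": {"src"}, "base": {"href"},
    "form": {"action"}, "input": {"formaction"}, "button": {"formaction"}, "meta": {"type"},
}

def decode_request(query: str) -> list[str]:
    """Claim 11: decode at least once. URL-decode until stable (bounded), then HTML-unescape."""
    values = []
    for _, cur in parse_qsl(query, keep_blank_values=True):
        for _ in range(3):                       # bounded, so hostile input cannot spin the loop
            cur, prev = unquote(cur), cur
            if cur == prev:
                break
        values.append(html.unescape(cur))
    return values

class Tokenizer(HTMLParser):  # claim 11's word segmentation; stdlib parser stands in for the patent's FSM
    def __init__(self):
        super().__init__()
        self.tokens, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self.tokens.append(("tag", tag, {a: v or "" for a, v in attrs}))
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:                      # only text inside <script> is JavaScript
            self.tokens.append(("script_text", data, {}))

def find_insertion_nodes(query: str, response_html: str) -> list[tuple[str, str]]:
    """Claims 12-20: (tag, attribute) pairs whose dangerous content is echoed from the request."""
    values = decode_request(query)
    def echoed(s): return bool(s) and any(s in v for v in values)
    tok = Tokenizer(); tok.feed(response_html)
    hits = []
    for kind, name, attrs in tok.tokens:
        if kind == "script_text" and echoed(name.strip()):
            hits.append(("script", "text"))      # claim 14: JavaScript fragment from the request
        for attr, val in attrs.items():          # claim 16 (onxxx), 14 (javascript:), 18/20 (URL/type attrs)
            if (attr.startswith("on") or "javascript:" in val.lower()
                    or attr in SENSITIVE_ATTRS.get(name, ())) and echoed(val):
                hits.append((name, attr))
    return hits
```

A page whose own markup carries event handlers is not reported unless the handler's value came from the request, which is what keeps the decode step (rather than a raw string match) central to the claims.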
Application CN201810816579.7A (granted as CN109218284B), priority date 2018-07-24, filing date 2018-07-24, status Active: XSS vulnerability detection method and device, computer equipment and readable medium

Publications (2)

Publication Number | Publication Date
CN109218284A (en) | 2019-01-15
CN109218284B (en) | 2021-11-23

Family ID 64990204; one family application (CN201810816579.7A, above); one country: CN (CN109218284B).


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN114257389A (en) * | 2020-09-22 | 2022-03-29 | 北京安全共识科技有限公司 | Reflection-type XSS detection method and device based on syntactic analysis

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103500118A (en) * | 2013-10-24 | 2014-01-08 | 北京奇虎科技有限公司 | Method and device for optimizing cascading style sheets
CN105426711A (en) * | 2015-11-18 | 2016-03-23 | 北京理工大学 | Similarity detection method for computer software source code
CN105471821A (en) * | 2014-08-29 | 2016-04-06 | 腾讯科技(深圳)有限公司 | Browser-based information processing method and device
CN106790007A (en) * | 2016-12-13 | 2017-05-31 | 武汉虹旭信息技术有限责任公司 | Web attack defense system and method based on XSS and CSRF
CN106951784A (en) * | 2017-02-23 | 2017-07-14 | 南京航空航天大学 | Reverse analysis method for Web applications oriented to XSS vulnerability detection
CN107153564A (en) * | 2017-06-22 | 2017-09-12 | 拜椰特(上海)软件技术有限公司 | A lexical analysis tool

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US8751826B2 (en) * | 2009-04-01 | 2014-06-10 | Salesforce.Com, Inc. | Enhanced system security
US9098722B2 (en) * | 2013-03-15 | 2015-08-04 | Prevoty, Inc. | Systems and methods for parsing user-generated content to prevent attacks
WO2015142697A1 (en) * | 2014-03-15 | 2015-09-24 | Belva Kenneth F | Methods for determining cross-site scripting and related vulnerabilities in applications
US10129285B2 (en) * | 2016-04-27 | 2018-11-13 | Sap Se | End-to-end taint tracking for detection and mitigation of injection vulnerabilities in web applications
CN107659555B (en) * | 2016-08-30 | 2020-08-11 | 北京长亭未来科技有限公司 | Network attack detection method and device, terminal equipment and computer storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on Cross-Site Scripting Attacks and Defense Technology" (跨站脚本攻击及防范技术研究); Deng Yuan et al.; Computer Knowledge and Technology (电脑知识与技术); 2012-06-27; Vol. 8, No. 6; full text *

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant